It’s rare for an organization to quickly rise to prominence through the release of a new training course, but that’s exactly what eLearnSecurity did with the first release of their Penetration Testing Professional course back in 2010. This upstart company is based in Pisa, Italy with a location in the USA in Colorado as well, but the beauty is that their training is entirely online, so clearly travel is not required. This review covers the second release of Penetration Testing Professional (affectionately known as PTP2), which most notably contains expanded content and new lab environments.

The course is delivered through a web-based Flash interface. The presentation will be familiar to anyone who has experience with the first iteration of the course, but at the same time the overall feel is cleaner and more polished. A colleague was recently considering web app training, and he was torn between a book and this course. He stated something along the lines of, “My brain is telling me to be economical and just get a book, but my eyes are telling me to go with eLearnSecurity!” That statement sums up the visual experience perfectly.

Continue reading to see if they managed to carry that momentum into the rest of the new version of this course.

Actual usage of the interface is slick as well. Throughout the process of writing this review, there were only a few rare glitches in the interface such as having to advance and return to an animated slide to get it to play. Should any quirks occur, simply logging out and back in, or restarting the browser, will quickly remedy the problem (In all fairness, these few issues could have been a local Flash issue caused by something in one of the 30 other tabs that were open at the time).

Being web-based, it’s important for the student to have a relatively fast broadband connection. Students on slower connections may experience delays while slides load and videos buffer. There is unfortunately no offline (i.e. PDF, videos, etc.) or mobile content at this time. However, plans are said to be in the works to bring the course to mobile devices and possibly even TVs. Hopefully these plans come to fruition, because the current format would be perfect for iPads and other tablets.

Like the first version of the course, networking, systems, and web applications are the cornerstones of the content. Each of these sections contains 6-8 modules, and most modules contain well over 100 slides. The amount of detail per module will vary based on the topic. Some modules go in-depth with step-by-step instructions, and others provide a general background for an ancillary topic such as social engineering. The majority of the course consists of static slides, but numerous animated slides, interactive slides, videos, and lab breaks are interspersed throughout the course in order to engage the student and reinforce the material. Each module also provides additional resources for further study.

The syllabus and detailed content descriptions can be found here, but there are several items that should be highlighted. First of all is the general organization of the content of the course. There are three main sections, each authored by separate eLearnSecurity experts containing their own set of modules:

System Security Section

Module 1: Introduction

Module 2: Cryptography and Password Cracking

Module 3: Buffer Overflow

Module 4: Shellcoding

Module 5: Malware

Module 6: Rootkit coding

Network Security Section

Module 1: Information Gathering

Module 2: Scanning

Module 3: Enumeration

Module 4: Sniffing and MITM attacks

Module 5: Exploitation

Module 6: Post-exploitation

Module 7: Anonymity

Module 8: Social Engineering

Web Application Security Section

Module 1: Introduction

Module 2: Information Gathering

Module 3: Vulnerability assessment

Module 4: Cross site scripting

Module 5: SQL Injection

Module 6: Advanced Web Attacks

The modules in the System Security Section are undoubtedly improved. While it will likely still be the most complex section for those without development experience, it no longer feels like you’re just being thrown off the deep end. Some students may still have difficultly fully understanding the advanced topics, but those students should at least obtain a general understanding of shellcoding, rootkits, and malware along the way. The advanced Metasploit and post-exploitation materials are also very welcome additions. Finally, the sheer amount of new, original content is very impressive. This is not just the Italian version of an existing penetration testing/ethical hacking course; it undeniably stands on its own.

It is important to understand that this isn’t a novice course. It is intended for junior-level penetration testers who are already have the requisite knowledge to be in the field. Moderately experienced IT professionals who are interested in making a transition into penetration testing or gaining a better understanding of attacks in order to defend against them more effectively would also benefit from this course.

With that said, it should not be surprising that the course assumes a basic level of knowledge across the various domains. For example, Module 4: Sniffing and MITM attacks in the Network Security Section doesn’t define the OSI layer, but it uses that terminology throughout the material. This knowledge is expected to have been obtained from previous networking studies. As broad as this course is, there will likely be times where some extra web searching will be required to completely understand the material not familiar to the student. Someone who has a good handle on networking may be a wiz at reading packet captures but does not understand exploitation, and vice versa. The prerequisites are listed here, and it’s definitely recommended to review them prior to enrolling in the course. If the prerequisites seem too advanced, there is also a Penetration Testing Student course that may be a better fit for less experienced individuals.

It’s also important to note that this is not a “tools” course. The material has a genuine flow that contains practical advice for performing real-world penetration tests. You’re not just learning about tools in isolation; the knowledge and techniques can be strung together to perform an attack from start to finish. Penetration testing methodology and ethics are core themes that are prevalent in each module throughout the entire course.

The material is written in an informal and engaging manner. Humor is occasionally peppered in and may catch you off guard. “Web developers are known to be lazy,” was not an expected opening in one of the Web App modules. There are sporadic typos and a phrase occasionally doesn’t sound completely natural in English. That said, these errors are only cosmetic, and they ultimately do not take anything away from the technical content which is highly accurate. These wrinkles are also continuously being ironed out by the course authors, so this situation will improve over time.

Going through dozens of slides can become a bit monotonous. Fortunately, videos are regularly included at regular intervals throughout the material to provide a change of pace. The average length of the videos is approximately 20-30 minutes, but some are closer to an hour. Most importantly, the videos do an excellent job of reinforcing the material and providing further explanation; they aren’t simply recaps of the written material. For example, when discussing scanning with hping, the presenter loads Wireshark and explains what is going on behind-the-scenes. He doesn’t just repeat the commands verbatim and present the same output that was previously shown in the slides.

One of the most unique aspects of this course is the variety of ways the student can get hands-on experience with the material. A fictional company exists on the internet and can be used for a variety of the information gathering exercises. A LiveCD contains a vulnerable web application that is used in the Web Application Security Section as well as the eCPPT Silver exam. The Coliseum and Hera labs provide additional web and systems/networking practice opportunities, respectively. The Hera lab is included in all packages, and the Coliseum labs are an optional add-on. Both labs are recommended in order to obtain the complete experience.

The Coliseum Labs contains multiple versions of custom vulnerable web applications that offer progressively difficult exercises across 14 different labs (at the time of this writing). These labs were released prior to version 2 of the course, but they have been thoroughly integrated into the web application modules at this point. Another fun aspect of the course is that it thoroughly embraces its Italian origins. The student doesn’t perform exercises in the Coliseum, he or she engages in “Battles.” Nice touch.

These labs compliment the material well. The student is given enough information to get started on the exercise, but the techniques are not presented exactly the same way as in the slides, so critical thought is still required. Should you get stuck, you can receive tips on how to progress. These tips gradually provide more and more information. Therefore, they can still help the student overcome a sticking point without disclosing how to complete the entire exercise.

The Hera Labs are the massive new addition this time around. These labs consist of groups of virtual machines that are assigned to each individual student; they are not shared with other students. A web-based management console is used to start and stop the lab, as well as enable the OpenVPN connection used to connect to the lab environment. Each lab includes a lab guide that consists of two parts, the objectives and the solutions. The solutions are useful if you are absolutely stuck or want to see another perspective, but the objectives should obviously be attempted without reviewing the solution. There are currently six Hera labs available, but new labs are being released on a periodic basis. Approximately 30 Hera labs are expected to be available by the end of the year.

The labs start off very basic and may not initially appear to have much value (i.e. it’s easy enough to run an nmap scan against your home network). However, the difficulty and opportunities to experiment with new tools and techniques escalates quickly. In addition, even the basic labs have some aspects that are convenient or interesting. For example, there may not be any systems or devices on your home network that allow you to perform and Idle Scan.

Time for the labs can either be purchased by number of hours or number of consecutive days (Coliseum only allows days at the moment, but an hourly option should be available in the near future). While most people should be able to complete the predefined lab objectives with plenty of time left, regardless of the time option, your imagination is really the only limiting factor after that. There are ample opportunities to experiment with other tools and techniques; you are not limited to the objectives outlined in the lab guides. The hourly option does seem to be advantageous for more advanced users that will finish labs quickly. That time can then be carried over from month-to-month and used for new labs as they are released.

Another interesting aspect of the hourly option is that you can start and stop lab time as you please. You are not required to use one-hour increments, which is an enormous advantage over some other time-based labs. It’s extremely convenient to be able to jump in, try an exercise, and get back out without having to dedicate an entire hour to the lab (or burn an hour of time for ten minutes of actual use). Note: It’s extremely important to remember to stop the lab when you’re no longer using it, or you may exhaust all your time before you realized you left a lab running!

As with many courses, eLearnSecurity also offers a certification component with PTP2, the eLearnSecurity Certified Professional Penetration Tester (eCPPT). The eCPPT Silver certification exam is currently the same as it was in the previous version. The objectives are to perform a web application penetration test against the web application on the LiveCD and submit a written report. This was an initial disappointment, since there was a lot of room for expansion here. The certification exam was expected to include systems and networking components this time around. However, an eCPPT Gold certification is in the works. This will take place in the Hera labs and include systems, networking, and web application objectives. The Gold certification will officially be announced in May, and the actual exam offering will follow shortly after. A transition path is expected to be available for individuals who are already eCPPT Silver certified.

In conclusion, the second version of Penetration Testing Professional is an undeniable success. This course will develop and solidify core penetration testing skills and put students on a path to obtain more advanced knowledge and skills. The breadth of material and variety of hands-on exercises are an exceptional value and learning experience for anyone who is interested in penetration testing. This updated release firmly establishes eLearnSecurity as a quality and innovative training provider, and future courses and content updates are eagerly anticipated.

Andrew Johnson (CISSP, GWAPT, GPEN, GCIH, GSEC, CEH, eCPPT, OSWP, CWSP, CCNA:S, MCSE:S, et al) has over a decade of experience in information technology and security. He has provided information security services, including penetration testing, social engineering, and risk management, to over a hundred financial institutions, businesses, and other organizations across the country. He currently manages information security for the US operations of a financial services company. Andrew is a perpetual learner and enjoys sharing knowledge with others. He is a SANS Mentor, Advisory Board Member, and Exam Question Writer. His personal security blog is at www.infosiege.net, and he can be followed @infosiege.